1. Field of the Invention
The present invention relates to a method for securing over-the-air communication in a wireless system.
2. Description of Related Art
In a wireless communication system, the handsets, often called mobiles, purchased by mobile users are typically taken to a network service provider, and long keys and parameters are entered into the handset to activate service. The network of the service provider also maintains and associates with the mobile, a copy of the long keys and parameters for the mobile. As is well-known, based on these long keys and parameters, information can be securely transferred between the network and the mobile over the air.
Alternatively, the user receives long keys from the service provider over a secure communication channel, like a telephone/land line, and must manually enter these codes into the mobile.
Because the transfer of the long keys and parameters is performed via a telephone/land line or at the network service provider as opposed to over the air, the transfer is secure against over the air attacks. However, this method of securely transferring information places certain burdens and restrictions on the mobile user. Preferably, the mobile user should be able to buy their handsets and then get service from any service provider without physically taking the handsets to the provider""s location or having to manually, and error free, enter long keys into the mobile. The capability to activate and provision the mobile remotely is part of the North American wireless standards, and is referred to as xe2x80x9cover the air service provisioningxe2x80x9d (OTASP).
Currently, the North American Cellular standard IS41-C specifies an OTASP protocol using the well-known Diffe-Hellman (DH) key agreement for establishing a secret key between two parties. FIG. 1 illustrates the application of the DH key agreement to establishing a secret key between a mobile 20 and a network 10 used in IS41-C. Namely, FIG. 1 shows, in a simplified form for clarity, the communication between a network 10 and a mobile 20 according to the DH key agreement. As used herein, the term network refers to the authentication centers, home location registers, visiting location registers, mobile switching centers, and base stations operated by a network service provider.
The network 10 generates a random number RN, and calculates (g{circumflex over ( )}RNmod p). As shown in FIG. 1, the network 10 sends a 512-bit prime number p, a generator g of the group generated by the prime number p, and (g{circumflex over ( )}RN mod p) to the mobile 20. Next, the mobile 20 generates a random number RM, calculates (g{circumflex over ( )}RM mod p), and sends (g{circumflex over ( )}RM mod p) to the network 10.
The mobile 20 raises the received (g{circumflex over ( )}RN mod p) from the network 10 to the power RM to obtain (g{circumflex over ( )}RMRN mod p). The network 10 raises the received (g{circumflex over ( )}RM mod p) from the mobile 20 to the power RN to also obtain (g{circumflex over ( )}RMRN mod p). Both the mobile 20 and the network 10 obtain the same result, and establish the 64 least significant bits as the long-lived or root key called the A-key. The A-key serves as a root key for deriving other keys used in securing the communication between the mobile 20 and the network 10.
One of the problems with the DH key exchange is that it is unauthenticated and susceptible to a man-in-the-middle attack. For instance, in the above mobile-network two party example, an attacker can impersonate the network 10 and then in turn impersonate the mobile 20 to the network 10. This way the attacker can select and know the A-key as it relays messages between the mobile 20 and the network 10 to satisfy the authorization requirements. The DH key exchange is also susceptible to off-line dictionary attacks.
The method for securing over-the-air communication in wireless system according to the present invention disguises an OTASP call as a normal system access to defeat attacks. According to the present invention, a mobile sends a system access request and dummy data associated with the system access request to a network. The network sends a first data stream including a first data portion to the mobile in response to the system access request and the dummy data. The mobile extracts the first data portion from the first bit stream, and sends a second bit stream, which includes a second data portion, to the network. The network extracts the second data portion from the second data stream.
Both the mobile and the network generate a key based on the first data portion and the second data portion, and establish a first encrypted and authenticated communication channel using the key. The mobile then transfers authorizing information to the network over the first encrypted and authenticated communication channel. If accepted, a second encrypted and authenticated communication channel is established. Over the second encrypted and authenticated communication channel, the network then sends sensitive information such as the root or A-key to the mobile.
An attacker monitoring the communication between the mobile and network according to the present invention would recognize the communication as a normal system access, and presumably fail to mount an attack. However, if an attack is mounted, an attacker must block a significant number of system accesses to find a disguised OTASP call. This denial of service to mobile users makes locating and stopping an attacker fairly easy.